Oracle Identity Manager provides the SOA composite the details of the request by using XML. This is called the request payload. The SOA composite can use all or part of the payload to determine the next step(s) to take in the approval process. The payload format is fixed.

Oracle Identity Manager API calls (optional).

Oracle Identity Manager provides only the most essential information to the SOA composite to keep the payload small and also to ensure security. If the business process requires additional data, then you can use a Java embedding step to obtain more information about the requester, the beneficiary, or what is being requested. For information on how to invoke Oracle Identity Manager APIs, see Chapter 28, "Using APIs".

One or more Human Tasks.

Human tasks are steps in the overall business process where manual intervention, in the form of approvals, is required. A human task can consist of multiple steps, serial or parallel or a combination of both, where the task is assigned to one or more users or roles or a combination of both. You can define these human tasks and add notification, deadlines, and escalation rules. For information about how to design human tasks, see Oracle Fusion Middleware Developer's Guide for Oracle SOA Suite.

Note:

In most approval scenarios, the composite contains only one human task. In some instances, additional human tasks may be required if the routing rules cannot be satisfied by using Oracle Business Rules. For example, the Resource Request composite contains multiple human tasks, one per resource. As a best practice, you must try to streamline the approval rules to facilitate reuse of the composites and human tasks.

One or more rulesets.

There are specific business requirements that must be met when fulfilling requests. SOA composites leverage Oracle Business Rules to satisfy these requirements. A collection of rules developed by using Oracle Business Rules is called a ruleset. A composite can have one or more rulesets. Human tasks can also leverage these rules to determine the participants and the task routing. For information about how to design human tasks, see Oracle Fusion Middleware Developer's Guide for Oracle SOA Suite.

A certified version of JDeveloper, for example, JDeveloper 11.1.1.3.

The SOA Design Time, also known as the SOA Composite Editor Extension for JDeveloper.

20.2 Predefined SOA Composites

Table 20-1 lists the predefined SOA composites in Oracle Identity Manager that can be used as approval processes.

Table 20-1 Predefined Workflow Composites

Workflow Composite

Description

DefaultRequestApproval

This is the default request-level approval. By default, the request-level approval task is assigned to the System Administrator, xelsysadm.

Note: For information about request-level approvals and defining approvals, see "Request Approvals" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager.

DefaultOperationalApproval

This is the default operation-level approval. By default, the approval task is assigned to the System Administrator, xelsysadm, for operation-level approval.

BeneficiaryManagerApproval

This requires approval from the beneficiary's manager. This can be associated with the following:

The request models that have a beneficiary. Examples of such request models are Provision Resource and Assign Roles.

All user models except Create User and Self-Register User.

This composite must be associated at the operational level of approval because a request can have multiple beneficiaries at the request level.

DefaultRoleApproval

This SOA composite creates a single approval task that is assigned to the SYSTEM ADMINISTRATORS role for approval.

RequesterManagerApproval

This SOA composite creates a single approval task that is assigned to the requester's manager for approval.

Note: This cannot be associated with unauthenticated request models, such as Self Register User.

ResourceAdministratorApproval

This SOA composite creates a single approval task that is assigned to resource administrators for approval. This must be associated with the request models that are related to resources. This composite is used at the operational level of approval.

ResourceAuthorizerApproval

This SOA composite creates a single approval task that is assigned to resource authorizers (with highest priority) for approval. This must be associated with the request models that are related to resources. This composite is used at the operational level of approval.

DefaultSODApproval

This SOA composite creates an approval task that is assigned to the system administrator and starts the SoD check. After the SoD result is available, it creates another approval task that is assigned to the SOD Administrators role. This must be associated with request models to provision or modify resources at the operational level if SoD check is required.

Note:

Human tasks in these default composites are configured to send notifications to the assignee of the human task.
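
The association constraints stated in Table 20-1 can be checked mechanically before approval policies are created. The following Python code is an added example, not Oracle code: the Policy record, its fields, and the sample policies are hypothetical, and only the composite and request model names come from the table.

```python
from dataclasses import dataclass

# Constraints as stated in Table 20-1.
OPERATIONAL_ONLY = {"BeneficiaryManagerApproval", "ResourceAdministratorApproval",
                    "ResourceAuthorizerApproval", "DefaultSODApproval"}
RESOURCE_ONLY = OPERATIONAL_ONLY - {"BeneficiaryManagerApproval"}
NO_BENEFICIARY_MANAGER = {"create user", "self register user"}
UNAUTHENTICATED = {"self register user"}

@dataclass(frozen=True)
class Policy:  # hypothetical record, not an Oracle Identity Manager type
    name: str
    request_model: str
    level: str  # "request" or "operational"
    composite: str
    resource_related: bool

def _norm(model):
    # The table spells it both "Self-Register User" and "Self Register User".
    return model.replace("-", " ").lower()

def check(policy):
    """Return the Table 20-1 constraints that this policy violates."""
    c, model, out = policy.composite, _norm(policy.request_model), []
    if c in OPERATIONAL_ONLY and policy.level != "operational":
        out.append(f"{c} is for the operational level of approval")
    if c in RESOURCE_ONLY and not policy.resource_related:
        out.append(f"{c} requires a resource-related request model")
    if c == "BeneficiaryManagerApproval" and model in NO_BENEFICIARY_MANAGER:
        out.append(f"{c} cannot be used with {policy.request_model}")
    if c == "RequesterManagerApproval" and model in UNAUTHENTICATED:
        out.append(f"{c} cannot be used with unauthenticated {policy.request_model}")
    return out

def audit(policies):
    # Map policy name -> findings, omitting policies that pass every check.
    return {p.name: f for p in policies if (f := check(p))}

# Constructed sample policies (the names P1..P5 are made up).
SAMPLE = [
    Policy("P1", "Provision Resource", "operational", "ResourceAuthorizerApproval", True),
    Policy("P2", "Self-Register User", "request", "RequesterManagerApproval", False),
    Policy("P3", "Assign Roles", "request", "BeneficiaryManagerApproval", False),
    Policy("P4", "Create User", "operational", "BeneficiaryManagerApproval", False),
    Policy("P5", "Assign Roles", "operational", "DefaultSODApproval", False),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "; ".join(findings))
```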

20.3 Developing an Approval Process for Oracle Identity Manager

To develop an approval process for Oracle Identity Manager:

Note:

As a part of developing an approval process for Oracle Identity Manager, you must create request datasets, upload the request datasets to MDS, create or use request templates, and create approval policies. For details, see Chapter 19, "Configuring Requests".

Create a JDeveloper workspace by using the new_project.xml utility. This utility is in the OIM_HOME/workflows/new-workflow/ directory. See "Creating a New SOA Composite" for details.

Open the JDeveloper workspace and modify the BPEL process and the human task as required.

20.5 Enabling Oracle Identity Manager to Connect to SOA

Oracle Identity Manager connects to SOA as SOA administrator, for which the username is "weblogic" by default. If a different username is provided during Oracle WebLogic Server domain creation, then Oracle Identity Manager cannot connect to SOA as SOA administrator. To enable Oracle Identity Manager to work with any Oracle WebLogic Server administrator user, and thereby connect to SOA without any problem, perform the following postinstallation steps:

Log in to Enterprise Manager by using the following URL:

http://ADMINSERVER_HOST:ADMINSERVER_PORT/em

Right-click Identity and Access/oim(11.1.1.3.0), and select System Mbean Browser.